From 024a768243fa44ebef092881639756ea582d2af6 Mon Sep 17 00:00:00 2001 From: CyberMind-FR Date: Wed, 14 Jan 2026 10:04:24 +0100 Subject: [PATCH] fix(crowdsec-dashboard): Get country data from alerts instead of decisions CrowdSec decisions don't contain country data. GeoIP enricher adds country info to alerts (source.cn or source.country field). Co-Authored-By: Claude Opus 4.5 --- .../usr/libexec/rpcd/luci.crowdsec-dashboard | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/package/secubox/luci-app-crowdsec-dashboard/root/usr/libexec/rpcd/luci.crowdsec-dashboard b/package/secubox/luci-app-crowdsec-dashboard/root/usr/libexec/rpcd/luci.crowdsec-dashboard index fde5a5c2..d3b67895 100755 --- a/package/secubox/luci-app-crowdsec-dashboard/root/usr/libexec/rpcd/luci.crowdsec-dashboard +++ b/package/secubox/luci-app-crowdsec-dashboard/root/usr/libexec/rpcd/luci.crowdsec-dashboard @@ -291,14 +291,23 @@ get_dashboard_stats() { json_add_string "top_scenarios_raw" "[$scenarios]" - # Top countries (from decisions) + # Top countries (from alerts - GeoIP enriched) local countries - countries=$(run_cscli decisions list -o json 2>/dev/null | \ - jsonfilter -e '@[*].country' 2>/dev/null | \ - sort | uniq -c | sort -rn | head -10 | \ + countries=$(run_cscli alerts list -o json --limit 500 2>/dev/null | \ + jsonfilter -e '@[*].source.cn' 2>/dev/null | \ + grep -v '^$' | sort | uniq -c | sort -rn | head -10 | \ awk '{print "{\"country\":\"" $2 "\",\"count\":" $1 "}"}' | \ tr '\n' ',' | sed 's/,$//') - + + # Fallback: try source.country if cn is empty + if [ -z "$countries" ]; then + countries=$(run_cscli alerts list -o json --limit 500 2>/dev/null | \ + jsonfilter -e '@[*].source.country' 2>/dev/null | \ + grep -v '^$' | sort | uniq -c | sort -rn | head -10 | \ + awk '{print "{\"country\":\"" $2 "\",\"count\":" $1 "}"}' | \ + tr '\n' ',' | sed 's/,$//') + fi + json_add_string "top_countries_raw" "[$countries]" json_dump